The bug was found in an encryption method used on about two-thirds of all websites, including Google, Amazon, Yahoo and Facebook, potentially exposing web traffic, user data and stored content to cyber criminals.

Although the bug has been around for three years, we are told there is so far no evidence that a hacker has exploited the flaw.

OpenSSL has released an update to repair the flaw and companies must update their software to be safe. Those companies include:

Google, which said it had fixed the flaw in key Google services, and Facebook, which said it had added protections even before the Heartbleed bug was publicly disclosed.

Yahoo said it had “made the appropriate corrections” to its main properties and was working to fix its other sites.

Matthew Prince, chief executive at Cloudflare, a company that provides a security barrier for about 5% of web requests, said it had fixed its encryption after being alerted last week.

But even those who fix the software cannot necessarily see if a hacker has already used the vulnerability to access their systems.

Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug.

Prince said “This is very bad and it may be extremely bad. This is one of the really bad internet bugs ever.” He warns that the flaw could affect “almost everyone” as the software is used by more than 60% of all websites. The flaw could have allowed hackers to read everything in a computer’s memory. Researchers had found the vulnerability could be used to read people’s Yahoo emails, but Prince says they still do not know if the keys to other secure information have also been found, which could render protection of anything from intellectual property to credit card details useless. “The nightmare scenario that everyone is worried about is if it also allows access to the store of core cryptographic keys which allow organisations to keep data stores. If the keys have been accessible, companies may have to replace all these secret codes that guard their information.”

I suggest that you not wait for companies to fix their software. Go to your various online accounts and change your passwords!

UPDATE (April 11, 2014):

As reported by the Daily Mail, a German computer programmer, Dr Robin Seggelmann, has come forward admitting that he had written the Heartbleed code, which contained an error overlooked by reviewers, and added it to the OpenSSL software on New Year’s Eve in 2011. No one spotted the mistake until earlier this month.

Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren’t issuing the advice. Yahoo is the only major site that has explicitly said its users should change their password.

Sites that don’t use the OpenSSL software are not affected by the flaw. This includes PayPal, Microsoft accounts and Twitter.

However, there are still thousands of websites that are yet to fix the problem, or officially announce the fix – leaving their users in limbo.

UPDATE (April 12, 2014):

Surprise! (Not)

Michael Riley reports for Bloomberg that Obama’s National Security Agency knew for at least two years about the Heartbleed bug but kept the bug secret, and regularly exploited it to gather “critical” intelligence, two people familiar with the matter said.

If the website owner has not security patched against this backdoor trojan, changing online accounts’ passwords will not safeguard or even mitigate the exploits from this virus. The cryptographic keys on the vendors’ SSL software are stolen by the heartbleed bug, which can include the codes on individual user accounts. The hacker need only rewrite the encrypted code of a password to access your present or future private information. Both your vendor and you wouldn’t know there is a security vulnerability.

The bad news:
The Heartbleed malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.

The method used to inject code into various processes is stealthy, in that the Heartbleed malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.

Heartbleed is not designed to deactivate automatically, but supports a “kill” function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.

In other words, modules in Heartbleed’s source code “boost” information gathering and are pure stealth.

The good news:
The Heartbleed virus was discovered by software engineers and administrators some 2 years ago, and to date most, but not all people in the online software industry know it is still a severe ongoing threat.
All the big mainstream Internet providers and website IT vendors now have the Heartbleed virus security blocked.

Users concerned that they may have their PC operating systems infected by the Heartbleed bug should contact their OS and/or antivirus software vendors’ customer services. They will offer free practical advice and online tools to thoroughly test and check your OS and personal files.

I have to say I question if this “virus” even exists; what proof do we have that it does? Not that it really matters, because “computer security” is what one might call an oxymoron. Computers have a fundamental flaw that makes them vulnerable, and that flaw is internet connectivity: anything that has any level of connectivity to the internet is already hackable, the only difference is how much someone wants to try to get in. Any system designed to connect can be connected to with the right tricks; firewalls can be mitigated, SSL and SSH can be broken through, etc. This is not to say don’t have security measures (they can keep out novice would-be script kiddies or frustrate other efforts of those who don’t have patience), but rather to say that one shouldn’t presume that any computer is “secure”, and understand most companies’ slogans of “complete security” are hot air/sales jargon.

To the subject at hand though, I have to say I question this “vulnerability”, and here’s why:

If the vulnerability has been known about for so long, why is it making news only now, and furthermore why is it that so many companies, if already having knowledge of the problem, are only just now “patching” the software?

How do we know the “patch” is not something malicious *to* exploit a vulnerability in SSL (Like for intelligence agencies, who may be nervous that the NSA leaked documents may lead to “fixes” for their previously established means of data collection.), and that the scare tactic to “patch” is being employed to ensure the maximum number of systems compromised? How can we check the integrity of SSL ourselves to make sure what we’re being told is legitimate and not a fish story (or perhaps, phish story)?

SSL is already compromised by the most undesirable parties (NSA etc.) why are they trying to scare everyone right now, suddenly, with what amounts to an “ancient” (in computer terms) exploit?

I say this because things such as antivirus companies do make software that is compromised, besides making software for exploiting known holes. Consider how Symantec, the maker of the vile memory-hog “Norton Antivirus”, was hired to make malware for U.S. spy agencies, which was called “Magic Lantern”. There is a similar case with PGP being compromised by the NSA in more recent times, despite their continued insistence that their software is not so. Consider also why the Navy and State Department continue to invest in TOR, despite the fact that its purpose is for mitigating identification and for enforcing “privacy” (which we know the Navy and State Department are decidedly *against*). Perhaps we should also consider why smart/camera phones, and indeed all cell phones, have fundamental vulnerabilities to the very time of posting this, that permit outside sources to control the device remotely, down to turning on its microphone or camera, and using them, without the person holding the device ever being aware of it. (Why waste money paying spies, when the citizenry can be induced to spy on themselves with a bunch of thinly veiled “tech toy” entertainment devices that are bugged as part of their design?) This has far greater implications when one remembers that microphones can be utilized to broadcast sound frequencies we can’t hear, which can be used to send and receive data, even to “air gapped” computers with speakers/microphones installed.

We shouldn’t be frightened of “hackers”, which the govstapo uses the same way they’d use “Osama bin Laden” or “terrorist”; it’s a buzzword, and like the real world, there are good and evil out there, and one should never trust blindly.

Thank you Seumas,
An excellent post about Internet security and the malevolent forces that undermine information communications privacy.

The price of software Internet privacy for the people masses is the smokescreen that generates profit for the malevolent information harvesting controllers who also own the very information & technology companies that sell us our communications security.

The “Internet” originated from the brains of scientists at Southern California’s Viterbi School of Engineering in 1972 with funding from more than 20 U.S. federal government agencies, including the Department of Defence Advanced Research Projects Agency (DARPA), National Science Foundation (NSF), and the Department of Homeland Security – which shows how untoward the whole Internet thing is today.

The Viterbi School of Engineering is attached to The Information Sciences Institute (ISI) – a research and development unit of the University of Southern California. ISI helped develop the Internet, including the Domain Name System and refinement of TCP/IP communications protocols.

In 1989, scientist Tim Berners-Lee invented the World Wide Web. Berners-Lee is the director of the World Wide Web Consortium (W3C), which oversees the Web’s continued development. He implemented the first successful communication between a Hypertext Transfer Protocol (HTTP) client and server via the Internet. Throughout the next 10 years the private banking and financial sectors controlled the means to proliferate big corporation e-commerce, education and entertainment for online profit. Corporation brands such as eBay, Amazon, Yahoo and Microsoft were now the dominant places that the people mass social networkers frequented to buy their lifestyles.

If the people masses like the Internet – tax it. If they like it a lot – regulate it. If they love it – clampdown on it. If they protest – ban it. This is the message of the Internet owning controlling elite to their puppet governments.

To police the Internet, in 1989 the ICI established the “Internet Corporation for Assigned Names and Numbers” (ICANN), a so-called nonprofit organisation that coordinates the Internet’s global domain name system. The “Internet Assigned Numbers Authority” (IANA) is a department of ICANN responsible for managing the DNS Root and the numbering system for IP addresses. ICANN is responsible for the coordination of maintenance and methodology of several databases of unique identifiers related to the name spaces of the Internet, and ensuring the network’s stable and SECURE operation. ICANN has political and operational targets, realised by the introduction of new top-level security software website domains, charges to domain registries, and fees for domain name registrations, renewals and transfers.

To date 2014, experts working for ICANN have recommended that the present form of Whois, a utility that allows anyone to know who has registered a domain name on the Internet, be scrapped. It recommends it be replaced with a system that keeps information secret from most Internet users, and only discloses information for “permissible purposes”. ICANN’s list of permissible purposes includes Domain name research, Domain name sale and purchase, Regulatory enforcement, Personal data protection, Legal actions, and Abuse mitigation. Whois has been a key tool of investigative journalists interested in determining who was disseminating information on the Internet. The use of whois by the free press is not included in the list of permissible purposes, but nonetheless the free press remain a political target for clampdown.

The ICI/ICANN is not about spying (although they are complicit in it). No. They are all about control of the people masses by surveillance of their information. And what better way to control the activists among the people masses, by using the collected personal information of them against them? It is within the realms of ICI resources and intelligence to create “super viruses” such as FLAME and HEARTBLEED to enable secret harvesting of personal information from anybody using a PC or other device with wired or wireless Internet connection.

One must also consider Big Brother Internet is now very busy investing in the means to compact the everyday zillions of digital bytes of information into manageable hardware space. The cross referencing and collation of anybody’s individual information from all sources in the ether of communications is already a reality. Think blogging, texting, banking, shopping loyalty cards, club or party membership, smart meters and CCTV, to name some.

Big brother knows you ate some food last week that was exported from a country under international sanctions. Don’t think it is a joke the powers that be can use this information to undermine you. It’s no joke.

Thank you Dr Eowyn,
Your updated advice about this virus matter is appreciated.
Does this German computer programmer work for the ICI/ICANN, I wonder?
(read my article above about the birth of the brains behind the Internet)